Requirements for C2PA manifests
To include C2PA manifests in your MediaConvert outputs, you need the following:
- MP4 container
-
C2PA manifests are only supported for MP4 outputs.
- C2PA certificate
-
A public certificate chain in PEM format stored in Secrets Manager. The certificate chain should include the signer's certificate and all intermediate certificates, but not the root certificate.
For information about obtaining C2PA-compatible certificates, see https://opensource.contentauthenticity.org/docs/signing/get-cert
For information about Secrets Manager, see the Secrets Manager user guide.
- Amazon KMS key
-
An Amazon KMS key with ECDSA_SHA_256 signing capability. This key is used to sign the C2PA manifest. Currently, MediaConvert only supports the ES256 (ECDSA with SHA-256) signing algorithm.
For information about Amazon KMS, see the Amazon KMS user guide.
- IAM permissions
-
Your MediaConvert service role must have permissions to access the specified Secrets Manager secret and Amazon KMS key. Add the following permissions to your service role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Sign", "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, { "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:c2pa-certificate-abc123" } ] }
- Size limitations
-
The C2PA manifest has a size limit of 32KB. If your certificate chain or other manifest components exceed this limit, the job will fail with an error.